Bug#672310: Please enable hardening build flags

Sun, 13 May 2012 16:33:21 -0700 

> On Thu, May 10, 2012 at 12:59:00AM +0300, Touko Korpela wrote:
> 
> > Severity: important
> 
> Please file bugs with realistic severities.

FWIW, bugs for release goals qualify for severity:important.
 
> > Hardened build flags are a release goal for Wheezy. I don't know why this
> > isn't reported before, because zlib qualifies for that goal.
> > I tested with "hardening-check" script (from hardening-includes) that
> > versions 1:1.2.6.dfsg-2 and 1:1.2.7.dfsg-1 aren't hardened (amd64).
> 
> Well, I'm certainly not going to do anything with this before the
> current version propagates to testing since it has actual bug fixes in
> it.  Frankly given the extensive attention zlib gets I'm not sure it's
> a big deal for zlib itself.

Proposed patch attached.

Cheers,
        Moritz

diff -aur zlib-1.2.7.dfsg.harden/debian/rules zlib-1.2.7.dfsg/debian/rules
--- zlib-1.2.7.dfsg.harden/debian/rules	2012-05-03 11:08:00.000000000 +0200
+++ zlib-1.2.7.dfsg/debian/rules	2012-05-14 01:26:12.000000000 +0200
@@ -17,7 +17,8 @@
 DEB_HOST_ARCH_OS    ?= $(shell dpkg-architecture -qDEB_HOST_GNU_OS)
 DEB_HOST_MULTIARCH  ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
 
-CFLAGS = -Wall -g -D_REENTRANT
+CFLAGS = `dpkg-buildflags --get CFLAGS` `dpkg-buildflags --get CPPLAGS` -Wall -D_REENTRANT
+LDFLAGS = `dpkg-buildflags --get LDFLAGS`
 
 # binutils doesn't supply the prefixed version normally like GCC does so
 # we can't just unconditionally use DEB_HOST_GNU_TYPE-ar
@@ -71,7 +72,7 @@
 
 	if [ ! -f Makefile.stash ]; then cp Makefile Makefile.stash ; fi
 
-	AR=$(AR) CC="$(DEB_HOST_GNU_TYPE)-gcc" CFLAGS="$(CFLAGS)" uname=GNU ./configure --shared --prefix=/usr --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH)
+	AR=$(AR) CC="$(DEB_HOST_GNU_TYPE)-gcc" CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" uname=GNU ./configure --shared --prefix=/usr --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH)
 
 	touch $@
 
@@ -81,7 +82,7 @@
 	mkdir -p debian/64
 	cp -r $(COPYLIST) debian/64
 	cd debian/64 && AR=$(AR) CC="$(DEB_HOST_GNU_TYPE)-gcc $(m64)" \
-	    CFLAGS="$(CFLAGS)" \
+	    CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
 	    uname=GNU ./configure --shared --prefix=/usr  --libdir=\$${prefix}/usr/lib64
 	touch $@
 
@@ -91,7 +92,7 @@
 	mkdir -p debian/32
 	cp -r $(COPYLIST) debian/32
 	cd debian/32 && AR=$(AR) CC="$(DEB_HOST_GNU_TYPE)-gcc $(m32)" \
-	    CFLAGS="$(CFLAGS)" \
+	    CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
 	    uname=GNU ./configure --shared --prefix=/usr --libdir=\$${prefix}/usr/lib32
 	touch $@
 
@@ -101,7 +102,7 @@
 	mkdir -p debian/n32
 	cp -r $(COPYLIST) debian/n32
 	cd debian/n32 && AR=$(AR) CC="$(DEB_HOST_GNU_TYPE)-gcc $(mn32)" \
-	    CFLAGS="$(CFLAGS)" \
+	    CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
 	    uname=GNU ./configure --shared --prefix=/usr --libdir=\$${prefix}/usr/lib32
 	touch $@
 
Nur in zlib-1.2.7.dfsg/debian: rules~.

Reply via email to